Secondary menu

You are here

NFC access control: cool and coming, but not close

If the operative word for near field communications access control is “cool,” then the obvious question is: “Are we there yet?”

The answer is no.

Despite limited rollouts that produced enthusiastic feedback from college students and other potential end users, the road toward widespread adoption of NFC-enabled smartphones being used for access control is full of detours and traffic lights. Some of the impediments are technological, some are about security and some are about when to take a leap of faith.

“Access control is a tough nut to crack,“ said Dave Holmes, vice president of mobility and NFC solutions at Identive Group, based in Santa Ana, Calif. Identive, which offers secure identification solutions, has been ramping up its NFC offerings in recent years, along with radio frequency identification and cloud-based services.

“It‘s a complete new paradigm: Touching something with a phone and have something happen,” he said. “ … Once the players are in sync, it’s a behavioral thing. I’m a 100-percent believer that mobile access will be huge.”

Near field communications (NFC) is a system of software and network interaction that allows smartphones and similar devices to establish two-way communication for a host of purposes that go well beyond calling someone, accessing the Internet, taking photos/videos or playing games.

Proponents see phones as an extension of your hand or your wallet. They see NFC used for building access; payment of bills and services; vending machines; boarding passes; subway trains; health care records … the list is endless.

And yet, interviews with industry insiders suggest that while NFC development is past the dreaming stage, it is not imminent.

Will more people be using smartphones to enter buildings five years from now? No doubt. Will NFC access control replace plastic cards? Probably not.

“I’m still a naysayer,” said Jay Hauhn, chief technology officer at Tyco Integrated Security, based in Boca Raton, Fla. and Princeton, N.J. “It’s like I’m from Missouri, the ‘show me’ state.”

Hauhn, who is actually from Maryland, points to the number of middlemen that need to be on the same page for the end user to enter a building with NFC access: mobile phone manufacturers, network providers, new operations systems managers and trusted service managers, for starters.

“I’m not convinced NFC will be widely adopted,” Hauhn said. “It sounds cool, but it’s a challenge. NFC won’t be successful unless it’s convenient, secure and less complex. The end user won‘t buy it because it‘s cool. They will buy it because it solves a problem.”

Despite Hauhn’s reservations, the buzz for NFC access control is real, especially when it comes from industry insiders such as Debra Spitler, vice president of mobile access solutions at HID Global, based in Irvine, Calif.

Spitler is bullish on the concept of smartphone access. Limited rollouts on college campuses such as Villanova University, the University of San Francisco and Arizona State University have convinced her that at the very least, the elements for market development exist.

“Students tell us, ‘I forget my ID card, but I never forget my phone,’” Spitler said. “‘I won’t turn around to go home and get my card. I will turn around and go back for my phone.’”

She added, “It’s cool to walk up to a building and gain access through your phone. People like the concept.”

Integrators are also working hard on secured document release services, so that office workers can avoid the "print sprint" from their desk to the copier by using an NFC-enabled device to access the materials they printed from their computer.

But Spitler is also a realist. She sees interludes between concept, marketing, consumer buy-in and profits for the intricate web of players involved to get that phone to work.

Call it the ecosystem. Call it pipework. Call it making all the middlemen happy. There are a lot of moving parts to this equation before NFC mobile access approaches mainstream status.

Who has access to the secure elements of an NFC device? Who is trusted with the “keys?” Who loads them? Who are the trusted service manufacturers? How will integrators generate recurring revenue? Does a lost NFC phone create a crisis or a momentary panic attack? These questions just scratch the surface when the manufacturers, integrators engineers and service managers consider the impact of NFC on their business.

End users are not yet beating down doors with blunt instruments demanding phones that drive a car for them, but all players are aware of the possibility that someone might unlock the mystery that will make NFC indispensable.

Rajesh Venkat is VP of marketing at Ingersoll Rand, based in Cleveland, which tested NFC’s potential at Villanova University from November 2011 through March 2012. The project involved 53 students and staff transforming their mobile phones into access control credentials for dormitories and academic buildings.

Venkat says three developments have to take place before widespread adoption of NFC mobile access is a reality. One is infrastructure that allows phone users to hold up their devices within inches for results; the second is improvements in the mobile devices themselves (he described NFC phone sleeves as “clunky‘’); and the third is new business models for vendors and integrators.

But it’s going to happen, Venkat says. “There are interesting turning points in the future. … A few years ago, you couldn’t find anyone without a Blackberry. This is probably a turning point for mobile access.”

Some integrators, whose revenue models and projects could be disrupted by NFC—those integrators who sell access cards that would, in theory, be replaced—are nevertheless preparing for what they consider the inevitable.

“Access control (through NFC) will be with us in the not too distant future,” says Eric Slabaugh, chairman and CEO of Absco Alarms, based in Lynnwood, Wash. While acknowledging that “I have yet to do an NFC-access control installation,” Slabaugh says he is immersed in the process of preparing for the inevitable.

“People want to get away from carrying cards. Your phone is already your GPS system. People will use it for Coke machines. Your phone is the one-stop shopping center of the world.”

Slabaugh said NFC access control is a proven concept. “We know it will work.”

Plastic security cards will not disappear in this brave new world, according to Slabaugh. Government agencies are highly unlikely to embrace the concept, much less slog through the technological ecosystem, to gain access to military bases, he said.

"Inevitably, the private sector will move to [NFC-based] access control,” according to Slabaugh.

The impediments are just that, Slabaugh said—problems that can be solved by smart people looking for a market niche to make money by giving customers what they want.

He cites his own personal fear of losing his smart phone. Not only does his phone house all of his contacts, but in the near future it could provide access to places, data and documents that he has been trusted with.

“How long does it take before you know you lost your phone?” asks Brad Wilson, vice president and COO of RFI Communications, based in San Jose, Calif. “When someone loses their ID card, these things often go unreported for awhile because nobody wants to look like a knucklehead. There’s a quicker turnaround time with the phone: ‘People can’t get in touch with me!’”

“Then we hit the kill command,” as soon as the owner finds a way to call the service provider or phone manufacturer to deactivate the phone. And while, in theory, someone could obtain unauthorized access or secured information with someone else’s phone, Wilson does not see that scenario as an unsolvable deal-breaker.

Integrators, he noted, are more concerned about recurring revenue—or more specifically, becoming marginalized when all the elements of NFC access control come together at the fingertips of the consumer.

When talking to integrators over the past year, “I detect a little bit of fear,” said Identive’s Holmes. “They are selling a lot of cards” and wondering about a cardless future and less revenue.

Wilson maintains that this problem is no different than other technological or industry evolutions that integrators must anticipate, rather than react to after the change.

“What impact does this have on integrators making money by selling boxes?” Wilson says. “Well, guess what—NFC is not going away. Get on board or fade away.”

“You need to be building value for preferred services,” he said. “You have to be adding value to the food chain. I call it keeping in cadence with evolving technology.’’

That is easier said than done. Monitoring the big dogs and trendsetters in the security industry is not a game for the insecure—especially when Apple, with 40 percent of the mobile phone market, won’t say whether its iPhone will be NFC-enabled in the near future. And nobody knows what mobile networks will do. “They will help dictate the level or pace of access control,” said Identive’s Holmes.

NFC access control is still on the horizon. How fast it becomes close enough to touch is an educated guess based on variables and vision.

“The mega trend is that the world is more mobile,” and it’s not going to slow down, said IR’s Venkat. “We have reached the point of no return. Mobile devices are an extension of the body.”

Comments

On the Monday before ASIS, September 23, Ingersoll Rand announced that aptiQmobile, which lets smartphones be used as access control credentials, is now available to all. aptiQmobile is being through channel partners.

It is available now on Android NFC-enabled phones regardless of choice of carriers and also works on unlocked phones. It does not require any accessory or SD card and works natively on NFC enabled Andriod phones.

For customers already using aptiQ readers, there is no need to replace anything. The existing aptiQ readers work with magstripe/prox/smart cards and the aptiQmobile credential. For new customers, aptiQ readers are multi-technology, offering an easy migration path from prox/magnetic stripe or smart cards to mobile. Customers can also continue to operate in a hybrid world of cards and mobile.

On the Monday before ASIS, September 23, Ingersoll Rand announced that aptiQmobile, which lets smartphones be used as access control credentials, is now commercially available to all. aptiQmobile is being sold through channel partners. It is available now on Android NFC-enabled phones regardless of choice of carriers and also works on unlocked phones. A Windows offering will be available soon. For the Apple i-Phone, Ingersoll Rand is offering a sleeve as an additional option to NFC-enable it.

For customers already using aptiQ readers, there is no need to replace anything. The existing aptiQ readers work with magstripe/prox/smart cards and the aptiQmobile credential. For new customers, aptiQ readers are multi-technology, offering an easy migration path from prox/magnetic stripe or smart cards to mobile. Customers can also continue to operate in a hybrid world of cards and mobile.

aptiQmobile adds unique technologies to enable secure peer-to-peer NFC mode while providing the convenience of using the mobile device instead of a key or Badge ID. In addition to the secure peer-to-peer NFC offering, which is available now, Ingersoll Rand is actively working on offering the NFC card emulation /secure element option working in conjunction with the carriers/TSM. There would be some customers who would prefer to have the secure element solution but Ingersoll Rand believes a good majority of customers will opt for the secure peer-to-peer option. The secure peer-to-peer offering provides some advantages in that it could be an universal /global solution, consistency of user experience at the end users, and works on unlocked phones.

In terms of security, highlighting what makes aptiQmobile a secure peer-to-peer NFC offering:

- The screen lock feature keeps the credential safe if the phone is lost or stolen.

- The credential information is stored in the same memory location as other app passwords and sensitive information.

- aptiQmobile stores a 128 bit AES encrypted credential that has to be decrypted by the access control reader.

- aptiQmobile uses patent pending, anti-playback technology that changes every time it is used, so cloning one transaction won't work a second time. Thus, every transaction is unique and cannot be duplicated. This prevents someone from trying to transfer the credential to a second device or someone trying to record and then send it back to the reader at another time.